Content and properties of syslog messages about alerts

Information about each alert is transmitted in a separate syslog category (syslog facility) that is not used by the system to deliver messages from other sources. Information about each alert is transmitted as a separate syslog message in CEF format. If the alert was generated by the Targeted Attack Analyzer module, information about that alert is transmitted as multiple separate syslog messages in CEF format.

The default maximum size of a syslog message about an alert is 32 KB. Messages that exceed the maximum size are truncated at the end.

The header of each syslog message about an alert contains the following information:

The body of a syslog message about an alert matches the information about that alert that is displayed in the program web interface. All fields are presented in the format "<key>=<value>". Depending on whether the alert occurred in network traffic or mail traffic, and depending on the technology that generated the alert, various keys may be transmitted in the body of a syslog message. If the value is empty, the key is not transmitted.

The keys, as well as their values contained in a message, are presented in the table below.

Information about an alert in syslog messages

Alert type

Alert name and description

Key and description of its value

file_web

File from web detected

A file was detected in network traffic.

  • dvchost = <name of server with the Central Node component>.
  • eventId = <alert ID>.
  • rt = <date and time of alert>.
  • dst = <destination IP address>.
  • dpt = <destination port>.
  • src = <source IP address>.
  • spt = <source port>.
  • shost = <name of the host on which the file was detected>.
  • suser = <user name>.
  • fName = <name of the file within the compound object>.
  • fsize = <size of the file within the compound object (in bytes)>.
  • fileType = <format of the file within the compound object>.
  • fileHash = <MD5 hash of the file within the compound object>.
  • KasperskyLabKATAcompositeFilePath = <name of the compound object>.
  • KasperskyLabKATAcompositeFileSize = <total size of the compound object (in bytes)>.
  • KasperskyLabKATAcompositeFileHash = <MD5 hash of the compound object>.
  • KasperskyLabKATAfileSHA256 = <SHA256 hash of the compound object>.
  • cs2 = <technology that was used to detect the file>.
  • cs3Label = <name of the virtual machine on which the file was detected> (only for the Sandbox component).
  • cs1 = <list of types of the detected objects according to the Kaspersky Lab classification>.
  • cs3 = <version of databases used to scan the file>.
  • app = <name of the application-level protocol> (HTTP(S) or FTP).
  • requestMethod = <HTTP request method> (only for the HTTP(S) protocol).
  • requestClientApplication = <User Agent of the client computer> (only for the HTTP(S) protocol).
  • request = <URL of the detected object> (only for the HTTP(S) protocol).
  • requestContext = <HTTP Referer header> (only for the HTTP(S) protocol).

file_mail

File from mail detected

A file was detected in mail traffic.

  • dvchost = <name of server with the Central Node component>.
  • eventId = <alert ID>.
  • rt = <date and time of alert>.
  • fName = <name of the file within the compound object>.
  • fsize = <size of the file within the compound object (in bytes)>.
  • fileType = <format of the file within the compound object>.
  • fileHash = <MD5 hash of the file within the compound object>.
  • KasperskyLabKATAcompositeFilePath = <name of the compound object>.
  • KasperskyLabKATAcompositeFileSize = <total size of the compound object (in bytes)>.
  • KasperskyLabKATAcompositeFileHash = <MD5 hash of the compound object>.
  • KasperskyLabKATAfileSHA256 = <SHA256 hash of the compound object>.
  • KasperskyLabKATAmailEnvelopeFrom = <sender email address> (from the Received header).
  • KasperskyLabKATAmailFor = <recipient email address> (from the Received header).
  • KasperskyLabKATAmailRecievedFromIp = <IP address of the first server in the message delivery chain> (from the Received header).
  • cs2 = <technology that was used to detect the file>.
  • cs3Label = <name of the virtual machine on which the file was detected> (only for the Sandbox component).
  • cs1 = <list of types of the detected objects according to the Kaspersky Lab classification>.
  • cs3 = <version of databases used to scan the file>.
  • externalId = <Email message ID>.
  • suser = <email address of sender>.
  • duser = <email addresses of recipients>.
  • msg = <message subject>.

ids

IDS event detected

An alert was generated by the Intrusion Detection System module.

  • dvchost = <name of server with the Central Node component>.
  • eventId = <alert ID>.
  • requestMethod = <HTTP request method> (only for the HTTP(S) protocol).
  • requestClientApplication = <User Agent of the client computer> (only for the HTTP(S) protocol).
  • rt = <date and time of alert>.
  • dst = <destination IP address>.
  • dpt = <destination port>.
  • src = <source IP address>.
  • spt = <source port>.
  • proto = <name of the network-level protocol> (TCP or UDP).
  • cs1 = <type of the detected object according to the Kaspersky Lab classification>.
  • cs2Label = <name of the IDS rule>.
  • cs2 = <number of the IDS rule>.
  • cs3 = <Intrusion Detection System module database version>.
  • requestMethod = <HTTP request method> (only for the HTTP protocol).
  • requestClientApplication = <User Agent of the client computer> (only for the HTTP protocol).
  • request = <URL of the detected object>.

url_web

URL from web detected

An alert was generated by URL Reputation technology or Sandbox in network traffic.

  • dvchost = <name of server with the Central Node component>.
  • eventId = <alert ID>.
  • rt = <date and time of alert>.
  • dst = <destination IP address>.
  • dpt = <destination port>.
  • src = <source IP address>.
  • spt = <source port>.
  • shost = <name of the host on which the file was detected>.
  • suser = <user name>.
  • cs1 = <list of categories to which the URL of the detected object belongs>.
  • requestMethod = <HTTP request method>.
  • requestClientApplication = <User Agent of the client computer>.
  • request = <URL of the detected object>.
  • requestContext = <HTTP Referer header>.
  • reason = <HTTP response code>.

url_mail

URL from mail detected

An alert was generated by URL Reputation technology or Sandbox in mail traffic.

  • dvchost = <name of server with the Central Node component>.
  • eventId = <alert ID>.
  • rt = <date and time of alert>.
  • externalId = <Email message ID>.
  • suser = <email address of sender>.
  • duser = <email addresses of recipients>.
  • KasperskyLabKATAmailEnvelopeFrom = <sender email address> (from the Received header).
  • KasperskyLabKATAmailFor = <recipient address> (from the Received header).
  • KasperskyLabKATAmailRecievedFromIp = <IP address of the first server in the message delivery chain> (from the Received header).
  • msg = <message subject>.
  • request = <URL of the detected object>.
  • cs2 = <technology that was used to generate the alert> (Sandbox or URL Reputation).
  • cs3Label = <name of the virtual machine on which the file was detected> (only for Sandbox).
  • cs1 = <list of types of the detected objects according to the Kaspersky Lab classification> (for the Sandbox component) or <list of categories> (for URL Reputation).
  • cs3 = <version of databases used to scan the file> (only for Sandbox).

dns

DNS request detected

An alert was generated by URL Reputation technology in DNS traffic.

  • dvchost = <name of server with the Central Node component>.
  • eventId = <alert ID>.
  • rt = <date and time of alert>.
  • dst = <destination IP address>.
  • dpt = <destination port>.
  • src = <source IP address>.
  • spt = <source port>.
  • shost = <name of the host on which the file was detected>.
  • suser = <user name>.
  • cs2 = <list of URL categories to which the domain names belong>.
  • requestMethod = <type of DNS message> (request or response).
  • flexString1 = <type of record from the DNS request>.
  • dhost = <host name from the DNS request>.
  • cs1 = <list of domain names from the DNS response>.

file_endpoint

File from endpoint detected

The alert was generated by the Kaspersky Endpoint Agent component on the user's computer and contains a file.

  • dvchost = <name of server with the Central Node component>.
  • eventId = <alert ID>.
  • rt = <date and time of alert>.
  • src = <source IP address>.
  • shost = <name of the host on which the file was detected>.
  • fName = <name of the file within the compound object>.
  • fsize = <size of the file within the compound object (in bytes)>.
  • fileType = <format of the file within the compound object>.
  • fileHash = <MD5 hash of the file within the compound object>.
  • KasperskyLabKATAcompositeFilePath = <name of the compound object>.
  • KasperskyLabKATAcompositeFileSize = <total size of the compound object (in bytes)>.
  • KasperskyLabKATAcompositeFileHash = <MD5 hash of the compound object>.
  • KasperskyLabKATAfileSHA256 = <SHA256 hash of the compound object>.
  • cs2 = <technology that was used to detect the file>.
  • cs3Label = <name of the virtual machine on which the file was detected> (only for the Sandbox component).
  • cs1 = <list of types of the detected objects according to the Kaspersky Lab classification>.
  • cs3 = <version of databases used to scan the file>.
  • app = <name of the application-level protocol> (HTTP(S) or FTP).
  • FilePath = <path to the file on the computer with the Endpoint Sensors component>.

iocScanning

IOC has tripped on endpoint

The alert was generated while carrying out an IOC scan of Kaspersky Endpoint Agent for Windows hosts.

This type of alert is available if you are using KEDR functionality.

  • dvchost = <name of server with the Central Node component>.
  • eventId = <alert ID>.
  • rt = <date and time of alert>.
  • src = <source IP address>.
  • shost = <name of the host on which the file was detected>.
  • cs1 = <name of the IOC file by which the alert was generated>.

taaScanning

TAA has tripped on events database

Alert resulting from the IOA analysis of events.

This type of alert is available if you are using KEDR functionality.

  • dvchost = <name of server with the Central Node component>.
  • eventId = <alert ID>.
  • rt = <date and time of alert>.
  • shost = <name of the host on which the alert was generated>.
  • cs1 = <name of the IOA rule by which the alert was generated>.

yaraScanningEP

YARA has tripped on endpoint

The alert was generated while carrying out a YARA scan of Kaspersky Endpoint Agent for Windows hosts.

This type of alert is available if you are using KEDR functionality.

  • dvchost = <name of server with the Central Node component>.
  • eventId = <alert ID>.
  • rt = <date and time of alert>.
  • src = <source IP address>.
  • shost = <name of the host on which the alert was generated>.
  • cs1 = <name of the YARA rule by which the alert was generated>.

heartbeat

Periodic message containing the state of components.

  • dvchost = <name of server with the Central Node component>.
  • rt = <event date and time>.
  • KasperskyLabKATAcomponentName = <name of the component>.
  • KasperskyLabKATAcomponentState = <status of the component> (0 – OK, >0 – Error).

Page top